Analysis of an attack (Part 2)

Previous: Analyzing an attack (Part 1)

Don Parker

In Part 1 we walked through the information that can be observed by opening up the packet stream sent by Nmap. The stream starts with an ICMP echo request, used to determine whether a live host is assigned to the target IP address. In addition, we could guess that the victim is a Windows machine from the TTL of 128 in the ICMP echo reply it returned. What remains is to examine the rest of the packets from the Nmap scan and pull out whatever further information lets us profile the victim.

Continuing

10:52:59.078125 IP (tos 0x0, ttl 49, id 9808, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37668 > 192.168.111.23.80: ., cksum 0xfd46 (correct), ack 85042526 win 2048
        0x0000:  4500 0028 2650 0000 3106 0407 c0a8 6f11  E..(&P..1.....o.
        0x0010:  c0a8 6f17 9324 0050 67d1 a55e 0511 a55e  ..o..$.Pg..^...^
        0x0020:  5010 0800 fd46 0000                      P....F..

10:52:59.078125 IP (tos 0x0, ttl 128, id 397, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.23.80 > 192.168.111.17.37668: R, cksum 0x6813 (correct), 85042526:85042526(0) win 0
        0x0000:  4500 0028 018d 0000 8006 d9c9 c0a8 6f17  E..(..........o.
        0x0010:  c0a8 6f11 0050 9324 0511 a55e 0511 a55e  ..o..P.$...^...^
        0x0020:  5004 0000 6813 0000 0000 0000 0000       P...h.........

The two packets above appear right after the ICMP packets we looked at in Part 1. Nmap sent an ACK packet to the victim at 192.168.111.23 on port 80. There is not much to be gleaned from this exchange. The only thing of note is that the ACK sent by the attacker is answered with a RST, because the ACK is unexpected: it does not belong to any previously established connection. We also still see a TTL of 128 from the victim, matching the TTL observed earlier.

10:52:59.296875 IP (tos 0x0, ttl 58, id 45125, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: S, cksum 0x37ce (correct), 2010644897:2010644897(0) win 3072
        0x0000:  4500 0028 b045 0000 3a06 7111 c0a8 6f11  E..(.E..:.q...o.
        0x0010:  c0a8 6f17 930c 0015 77d8 01a1 0000 0000  ..o.....w.......
        0x0020:  5002 0c00 37ce 0000                      P...7...

10:52:59.296875 IP (tos 0x0, ttl 128, id 398, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.21 > 192.168.111.17.37644: S, cksum 0x4f58 (correct), 1685290308:1685290308(0) ack 2010644898 win 64240
        0x0000:  4500 002c 018e 4000 8006 99c4 c0a8 6f17  E..,..@.......o.
        0x0010:  c0a8 6f11 0015 930c 6473 7d44 77d8 01a2  ..o.....ds}Dw...
        0x0020:  6012 faf0 4f58 0000 0204 05b4 0000       `...OX........

10:52:59.296875 IP (tos 0x0, ttl 128, id 110, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: R, cksum 0xca50 (correct), 2010644898:2010644898(0) win 0
        0x0000:  4500 0028 006e 0000 8006 dae8 c0a8 6f11  E..(.n........o.
        0x0010:  c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2  ..o.....w...w...
        0x0020:  5004 0000 ca50 0000                      P....P..

Following the ACK and RST exchange, we can see that a real SYN packet is sent from the attacker to the victim, as shown by the S flag in the first of these packets. The victim answers from its port 21 with a SYN/ACK, and the exchange is then torn down by a RST that the attacker's machine sends back to the victim. These three packets hold a wealth of information for fingerprinting the victim.

We again see a TTL of 128 from the victim, and now also a window size of 64240. While this value is not on the list, it is a size I have seen many times before from Win32 systems (32-bit versions of Microsoft Windows such as NT, 2000, XP and 2003). Another telltale trait of a Windows machine is its predictable IP ID, which increments by one with every packet sent. So far the victim has given us only two IP ID values, 397 and 398; we want at least one more before we can say with confidence that this is a Microsoft Windows machine. With that in mind, let's look at the remaining packets from the Nmap scan.

10:52:59.312500 IP (tos 0x0, ttl 59, id 54025, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: S, cksum 0x3393 (correct), 2010644897:2010644897(0) win 4096
        0x0000:  4500 0028 d309 0000 3b06 4d4d c0a8 6f11  E..(....;.MM..o.
        0x0010:  c0a8 6f17 930c 0050 77d8 01a1 0000 0000  ..o....Pw.......
        0x0020:  5002 1000 3393 0000                      P...3...

10:52:59.312500 IP (tos 0x0, ttl 128, id 399, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.80 > 192.168.111.17.37644: S, cksum 0x7913 (correct), 1685345101:1685345101(0) ack 2010644898 win 64240
        0x0000:  4500 002c 018f 4000 8006 99c3 c0a8 6f17  E..,..@.......o.
        0x0010:  c0a8 6f11 0050 930c 6474 534d 77d8 01a2  ..o..P..dtSMw...
        0x0020:  6012 faf0 7913 0000 0204 05b4 0000       `...y.........

10:52:59.312500 IP (tos 0x0, ttl 128, id 111, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: R, cksum 0xca15 (correct), 2010644898:2010644898(0) win 0
        0x0000:  4500 0028 006f 0000 8006 dae7 c0a8 6f11  E..(.o........o.
        0x0010:  c0a8 6f17 930c 0050 77d8 01a2 77d8 01a2  ..o....Pw...w...
        0x0020:  5004 0000 ca15 0000                      P.......

The first thing the attacker looks for is whether the IP ID has increased to 399. It is indeed 399, as we can see in the middle packet. With that, the attacker is confident that the machine he is attacking runs Windows NT, 2000, XP or 2003. We can also see from this packet sequence that port 80 on the victim has a service listening, as shown by the SYN/ACK. The SYN/ACK is identified by checking the flags field in the TCP header: in this case the hex value 12 (the second byte of the 6012 word, the leading 6 being the data offset), which is 18 in decimal and is the SYN flag value of 2 added to the ACK flag value of 16.
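To make the checks in the last three paragraphs concrete, here is an added example (not part of the original article) that parses the eight hex dumps shown on this page, decodes the IP and TCP headers, verifies that the RST answering the unsolicited ACK behaves as RFC 793 says it should (sequence number equal to the probe's ACK number, zero window), and collects the fingerprinting evidence discussed: the victim's TTL, the SYN/ACK window size, whether the IP ID increments by one per packet, and which ports answered with a SYN/ACK. The thresholds (TTL 128, window 64240, +1 IP IDs) are the ones the article uses, not a general fingerprint database, and the function and variable names are my own.

```python
import struct

# The eight packets from the tcpdump -X output above, hex only, in capture order.
# Trailing zero words on some lines are Ethernet frame padding; the IP total-length
# field is used to trim them during parsing.
PACKETS_HEX = [
    # 1: attacker ACK probe to port 80
    "4500 0028 2650 0000 3106 0407 c0a8 6f11 c0a8 6f17 9324 0050 67d1 a55e 0511 a55e 5010 0800 fd46 0000",
    # 2: victim answers the unsolicited ACK with a RST
    "4500 0028 018d 0000 8006 d9c9 c0a8 6f17 c0a8 6f11 0050 9324 0511 a55e 0511 a55e 5004 0000 6813 0000 0000 0000 0000",
    # 3: attacker SYN to port 21
    "4500 0028 b045 0000 3a06 7111 c0a8 6f11 c0a8 6f17 930c 0015 77d8 01a1 0000 0000 5002 0c00 37ce 0000",
    # 4: victim SYN/ACK from port 21
    "4500 002c 018e 4000 8006 99c4 c0a8 6f17 c0a8 6f11 0015 930c 6473 7d44 77d8 01a2 6012 faf0 4f58 0000 0204 05b4 0000",
    # 5: attacker RST tears the half-open connection down
    "4500 0028 006e 0000 8006 dae8 c0a8 6f11 c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2 5004 0000 ca50 0000",
    # 6: attacker SYN to port 80
    "4500 0028 d309 0000 3b06 4d4d c0a8 6f11 c0a8 6f17 930c 0050 77d8 01a1 0000 0000 5002 1000 3393 0000",
    # 7: victim SYN/ACK from port 80
    "4500 002c 018f 4000 8006 99c3 c0a8 6f17 c0a8 6f11 0050 930c 6474 534d 77d8 01a2 6012 faf0 7913 0000 0204 05b4 0000",
    # 8: attacker RST
    "4500 0028 006f 0000 8006 dae7 c0a8 6f11 c0a8 6f17 930c 0050 77d8 01a2 77d8 01a2 5004 0000 ca15 0000",
]

VICTIM = "192.168.111.23"

# TCP flag bits in the low byte of the offset/flags word (the 0x12 of "6012" in the text).
TCP_FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]


def parse_packet(hexdump):
    """Decode the IPv4 and TCP headers from a tcpdump -X hex dump (no link-layer header)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ip_id, frag, ttl, proto = struct.unpack("!HHBB", raw[4:10])
    if proto != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]  # drops any frame padding beyond the IP length
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "ttl": ttl, "id": ip_id, "df": bool(frag & 0x4000),
        "seq": seq, "ack": ack, "win": win, "flags": flags,
        "flag_str": "".join(ch for bit, ch in TCP_FLAG_BITS if flags & bit),
    }


def is_rst_to_unsolicited_ack(probe, reply):
    """RFC 793: a segment belonging to no connection is answered with a RST whose
    sequence number equals the probe's ACK number and which carries a zero window."""
    return (reply["flags"] == 0x04 and reply["win"] == 0
            and reply["seq"] == probe["ack"]
            and reply["src"] == probe["dst"] and reply["sport"] == probe["dport"])


def fingerprint(packets, host):
    """Collect the passive-fingerprint evidence the article relies on for one host."""
    from_host = [p for p in packets if p["src"] == host]
    ip_ids = [p["id"] for p in from_host]
    deltas = [b - a for a, b in zip(ip_ids, ip_ids[1:])]
    synacks = [p for p in from_host if p["flags"] == 0x12]
    evidence = {
        "ttls": sorted({p["ttl"] for p in from_host}),
        "ip_ids": ip_ids,
        "ip_id_incremental": bool(deltas) and all(d == 1 for d in deltas),
        "synack_windows": sorted({p["win"] for p in synacks}),
        "open_ports": sorted(p["sport"] for p in synacks),
    }
    # Heuristic only (the article's thresholds): TTL 128 is the Windows default and is
    # still 128 here only because the sniffer sits on the victim's own LAN; a 64240
    # window and +1 IP IDs are what the article associates with Win32-era stacks.
    evidence["likely_win32"] = (evidence["ttls"] == [128]
                                and evidence["synack_windows"] == [64240]
                                and evidence["ip_id_incremental"])
    return evidence


if __name__ == "__main__":
    pkts = [parse_packet(h) for h in PACKETS_HEX]
    for p in pkts:
        print(f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]} [{p["flag_str"]}] '
              f'ttl={p["ttl"]} id={p["id"]} win={p["win"]}')
    print(fingerprint(pkts, VICTIM))
```

Running it prints one line per packet followed by the evidence dictionary: the two SYN/ACKs decode to flags 0x12 (SYN 2 + ACK 16), the victim's IP IDs come out as 397, 398, 399, and ports 21 and 80 are reported open. The TTL check is only meaningful because the capture was taken on the victim's LAN; every router hop in between would have decremented it.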

Enumeration

Now that the attacker knows that ports 21 and 80 are open for business, he moves on to enumeration. What he needs to know next is what kind of web server is listening for connections; there is no point in throwing an Apache exploit at an IIS web server. With that in mind, the attacker opens a cmd.exe session and finds out the server type.

C:\>nc.exe 192.168.111.23 80
GET slslslls
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2007 15:11:48 GMT
Content-Type: text/html
Content-Length: 87

The parameter is incorrect.

C:\>

We can see the server type in the Server header above. The attacker typed the nc.exe command with the victim's IP address and port 80. Once connected, he typed the HTTP GET method followed by some gibberish. Because the web server does not understand the request, it sends back an error response, and that response carries its server banner, which is exactly the information the attacker was after. He now knows he is dealing with Microsoft IIS 5.0, which is good news for him, since exploits exist for vulnerabilities in this version.
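The same banner grab done programmatically, as an added example that is not part of the original article: it sends the malformed request to a web server, parses the status line and headers of the error response, and pulls out the Server header. Because the example has to run offline, it also starts a throwaway local listener that replays a constructed stand-in for the IIS 5.0 response shown above (the body is shortened to the error message, so the Content-Length differs); the function names are my own.

```python
import socket
import threading


def parse_http_banner(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value}).
    Tolerates the bare LF line endings some servers emit."""
    if b"\r\n\r\n" in raw:
        head = raw.split(b"\r\n\r\n", 1)[0]
    else:
        head = raw.split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def grab_http_banner(host, port, request=b"GET slslslls\r\n\r\n", timeout=5.0):
    """Send a deliberately malformed request, as the nc session above does, and read the
    error response; the Server header usually survives even when the request is rejected."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_http_banner(buf)


# Constructed stand-in for the IIS 5.0 reply shown on this page, so the example runs offline.
FAKE_IIS_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Mon, 06 Aug 2007 15:11:48 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"The parameter is incorrect."
)


def serve_once(response, host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port that answers one connection
    with `response` and returns the port. Only here to exercise grab_http_banner() locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read (and ignore) the malformed request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_once(FAKE_IIS_RESPONSE)
    status, headers = grab_http_banner("127.0.0.1", port)
    print(status)
    print("server:", headers.get("server", "<not disclosed>"))
```

The defensive use is the mirror image: point the grabber at your own servers and check whether the Server header gives away a product and version, since an error response to junk input still carries it.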

Conclusion

By scanning the victim's network with Nmap, the attacker receives a series of valuable packets in return. As we have seen, those packets contain enough information to work out the victim's architecture, operating system and open services, and a simple banner grab then reveals the server type.

In short, this is how an attacker learns the key facts about a host, its architecture and the services it offers. With this information in hand, he can launch an attack against the victim's web server. In the next part we will look at the attacks that follow from this information.

Next: Analysis of an attack (Part 3)

Updated 26 May 2019